Safely displaying untrusted HTML

One of the challenges in importing external RSS feeds for the annotations aggregator is how to safely display untrusted HTML. Enter the SECURITY attribute of the IFRAME, a great way of instructing the browser to render the contents of the frame in the Restricted Sites zone, thus (by default) limiting the capabilities of HTML in that frame to markup and not much else.

To cut a long story short, the client-side component encodes the incoming HTML from the RSS feed and ships it around in that HtmlEncoded state through a series of transforms to provide sorting, create borders and generally beautify. Just before it’s rendered in the browser, there’s a final decoding step to decode that content back into HTML so that the markup is interpreted for display to the end user.

Since there’s no built-in client-side implementation, here’s a rendition of Server.HtmlDecode in JavaScript:
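The encode/decode round trip described above, as an added example that is not the post's own code: `htmlEncode` is the assumed client-side encoding step, and `htmlDecode` is a JavaScript stand-in for Server.HtmlDecode that decodes named and numeric entities in a single pass, so that an entity the feed author had already encoded (such as `&amp;lt;`) comes back as literal text rather than as markup. The sample feed item is constructed.

```javascript
// Assumed client-side encoding step: the feed HTML is carried through the
// sorting/border transforms in this form.
const ENCODE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function htmlEncode(html) {
  return html.replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// Named entities handled by the decoder (case-sensitive, as in HTML).
const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: "\u00A0" };

// One entity: decimal numeric, hex numeric, or a name from the table above.
const ENTITY_RE = /&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|([a-zA-Z]+));/g;

// Convert a code point, leaving the original entity text untouched if the
// value is outside the Unicode range (String.fromCodePoint would throw).
function codePointOrOriginal(cp, original) {
  return cp <= 0x10ffff ? String.fromCodePoint(cp) : original;
}

// JavaScript rendition of Server.HtmlDecode. A single pass over the string
// matters: replacing entities one kind at a time ("&lt;" first, then "&amp;")
// would turn "&amp;lt;" into "<", i.e. manufacture markup the feed never sent.
// One pass decodes it to "&lt;", which the browser then shows as literal text.
function htmlDecode(encoded) {
  return encoded.replace(ENTITY_RE, (match, dec, hex, name) => {
    if (dec !== undefined) return codePointOrOriginal(Number(dec), match);
    if (hex !== undefined) return codePointOrOriginal(parseInt(hex, 16), match);
    const ch = NAMED_ENTITIES[name];
    return ch !== undefined ? ch : match; // unknown name: leave as written
  });
}

// Constructed sample feed item, including an entity the author encoded.
const SAMPLE_FEED_ITEM = '<p class="entry">Tom &amp; Jerry say "hi" &lt;3</p>';

// Round trip: what goes into the transforms comes back out unchanged, and
// only then is it handed to the IFRAME for rendering.
function roundTrip(html) {
  return htmlDecode(htmlEncode(html));
}
```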